CONDITIONAL_BARE_VARS deprecation fix in when condition

Signed-off-by: Norman Bestfleisch <norman.bestfleisch@netresearch.de>
dev-sec · Jun 7, 2019 · 77b02f8 · 77b02f8
1 parent d6ec19e
commit 77b02f8
Show file tree

Hide file tree

Showing 3 changed files with 9 additions and 9 deletions.
diff --git a/tasks/hardening.yml b/tasks/hardening.yml
@@ -26,7 +26,7 @@
     owner: '{{ ssh_owner }}'
     group: '{{ ssh_group }}'
   notify: restart sshd
-  when: ssh_server_hardening
+  when: ssh_server_hardening | bool
 
 - name: create sshd_config and set permissions to root/600
   template:
@@ -37,7 +37,7 @@
     group: '{{ ssh_group }}'
     validate: '/usr/sbin/sshd -T -C user=root -C host=localhost -C addr=localhost -f %s'
   notify: restart sshd
-  when: ssh_server_hardening
+  when: ssh_server_hardening | bool
 
 - name: create ssh_config and set permissions to root/644
   template:
@@ -46,7 +46,7 @@
     mode: '0644'
     owner: '{{ ssh_owner }}'
     group: '{{ ssh_group }}'
-  when: ssh_client_hardening
+  when: ssh_client_hardening | bool
 
 - name: Check if {{ sshd_moduli_file }} contains weak DH parameters
   shell: awk '$5 < {{ sshd_moduli_minimum }}' {{ sshd_moduli_file }}
@@ -67,9 +67,9 @@
 - name: include tasks to setup 2FA
   include_tasks: 2fa.yml
   when:
-    - ssh_use_pam
-    - ssh_challengeresponseauthentication
-    - ssh_google_auth
+    - ssh_use_pam | bool
+    - ssh_challengeresponseauthentication | bool
+    - ssh_google_auth | bool
 
 - name: include selinux specific tasks
   include_tasks: selinux.yml

diff --git a/tasks/main.yml b/tasks/main.yml
@@ -1,4 +1,4 @@
 ---
 
 - include_tasks: hardening.yml
-  when: ssh_hardening_enabled
+  when: ssh_hardening_enabled | bool
diff --git a/tasks/selinux.yml b/tasks/selinux.yml
@@ -57,10 +57,10 @@
   - name: install selinux policy
     command: semodule -i {{ ssh_custom_selinux_dir }}/ssh_password.pp
 
-  when: not ssh_use_pam and ssh_password_module.stdout.find('ssh_password') != 0
+  when: not ssh_use_pam | bool and ssh_password_module.stdout.find('ssh_password') != 0
 
 # The following tasks only get executed when selinux is installed, UsePam is 'yes' and the ssh_password module is installed.
 # See http://danwalsh.livejournal.com/12333.html for more info
 - name: remove selinux-policy when Pam is used, because Allowing sshd to read the shadow file directly is considered a potential security risk
   command: semodule -r ssh_password
-  when: ssh_use_pam and ssh_password_module.stdout.find('ssh_password') == 0
+  when: ssh_use_pam | bool and ssh_password_module.stdout.find('ssh_password') == 0